PEAP: Pwned Extensible Authentication Protocol





ShmooCon 2008 

Joshua Wright, jwright@willhackforsushi.com 

Brad Antoniewicz, Brad.Antoniewicz@foundstone.com 



Agenda 



Introductions 



Evolution of wireless 

IEEE 802.1X and EAP overview

EAP attack surface 

Attacking EAP types 

Conclusion 



Introductions 




Works for Foundstone 

Hacks stuff for a living 

Can hold his liquor 




Hacks for Sushi 

Has mercury poisoning 

Drunk on O'Douls 



WLAN Security Evolution 

WEP has been dead since 2001 

- Thomas d'Otreppe et al at Aircrack-ng 
continue to do great work here 

LEAP deployments considerably fewer 
today than 2003 

WPA/WPA2 specify strong encryption, 
strong authentication mechanisms 

Commonly available EAP types provide 
reasonable security for most organizations 



IEEE 802.1X in One Slide

Network access authentication at layer 2 

- EAP provides authentication, WEP/TKIP/CCMP 
provides encryption support 

Supplicant, PAE (Authenticator), Authentication 
Server 

Supplicant and authentication server use an 
EAP type to authenticate, negotiate keys 

- PAE is agnostic to EAP type (except LEAP) 

Supplicant communicates via EAPOL, forwarded 
by PAE to auth. server in RADIUS TLV attribute 






Not all EAP types are created equal 



RFC4017 - EAP Requirements 

• Specifies requirements for EAP methods
• All standard EAP methods must provide:

- Mutual authentication

- Resistance to dictionary attacks

- Protection against MitM attacks

- Protected ciphersuite negotiation

• EAP methods that fail these requirements

- EAP-MD5, EAP-OTP, EAP-GTC, LEAP

• EAP methods that pass these requirements

- PEAP, TTLS, EAP/TLS, EAP-FAST
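
A defender can check which of these methods actually appear on the wire. The following is an added example, not code from the presentation: it parses EAP packets with strict length checks and flags the methods the slide lists as failing RFC4017, including a peer Nak that asks for one. The function names and sample packets are constructed for illustration.

```python
import struct

# EAP method type numbers as assigned in the IANA EAP registry.
EAP_METHODS = {4: "EAP-MD5", 5: "EAP-OTP", 6: "EAP-GTC", 13: "EAP-TLS",
               17: "LEAP", 21: "TTLS", 25: "PEAP", 43: "EAP-FAST"}
# Methods the slide lists as failing the RFC4017 requirements.
FAILS_RFC4017 = {"EAP-MD5", "EAP-OTP", "EAP-GTC", "LEAP"}
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
NAK = 3  # Response type in which the peer names the methods it wants instead


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 layout), refusing inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError(f"length field {length} does not fit {len(pkt)} bytes")
    if code in (SUCCESS, FAILURE):
        if length != 4:
            raise ValueError("Success/Failure must not carry data")
        return {"code": code, "id": ident, "type": None, "data": b""}
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    return {"code": code, "id": ident, "type": pkt[4], "data": pkt[5:length]}


def audit(packets) -> list:
    """Return (packet index, finding) pairs for weak methods and bad framing."""
    findings = []
    for i, pkt in enumerate(packets):
        try:
            eap = parse_eap(pkt)
        except ValueError as err:
            findings.append((i, f"malformed: {err}"))
            continue
        if eap["code"] == RESPONSE and eap["type"] == NAK:
            # Each Nak data byte is a method type the peer is asking for.
            wanted = [EAP_METHODS.get(t) for t in eap["data"]]
            findings += [(i, f"peer Nak requests {n}") for n in wanted
                         if n in FAILS_RFC4017]
        elif EAP_METHODS.get(eap["type"]) in FAILS_RFC4017:
            findings.append((i, f"weak method in use: {EAP_METHODS[eap['type']]}"))
    return findings


# Constructed sample packets (not from a real capture).
SAMPLES = [
    bytes([1, 1, 0, 5, 1]),                          # Identity Request
    bytes([1, 2, 0, 22, 4, 16]) + bytes(range(16)),  # MD5-Challenge Request
    bytes([1, 3, 0, 6, 25, 0x20]),                   # PEAP Start
    bytes([1, 4, 0, 64, 17, 1]),                     # LEAP, length field too large
    bytes([2, 5, 0, 6, 3, 4]),                       # Nak asking for EAP-MD5
    bytes([3, 6, 0, 4]),                             # Success
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLES):
        print(index, finding)
```
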



EAP Attack 
Surface 






How does EAP on wireless AP's 
expose your organization? 



EAP Exposure 



Any unauthenticated user can initiate an 
EAP conversation 

- EAP can be complex to parse with support for 
fragmentation, retries, complex data structs 

- Cisco AP crash by Laurent Butti, Benoit 
Stopin, malformed EAP Identity Request 

EAP communicates with RADIUS server 
from any unauthenticated user 

- More complexity in EAP frame parsing 

- Pwn the RADIUS server, Pwn the World! 



Client and Server Choices 

Many supplicant choices available 

- Native supplicants in Windows/WZC and OSX 

- Commercial supplicants from Funk/Juniper 
and MeetingHouse/Cisco 

- Free supplicants including wpa_supplicant, 
SecureW2, Open1X

Several RADIUS choices available 

- Windows IAS, Cisco ACS, Juniper SBR, 
FreeRADIUS 



Represents lots of unexplored code paths 



New FreeRADIUS Release! 



[Screenshot: FreeRADIUS web site ("FreeRADIUS: The world's most popular RADIUS Server") release announcement]

2008.02.14 Version 2.0.2 (sig) has been released. The focus of this release is stability.

Feature Improvements

• Added notes on how to debug the server in radiusd.conf.

• Moved all log_* in radiusd.conf to log{ } section. The old configurations are still accepted.

• Added ca.der target in raddb/certs/Makefile. This is needed for importing CA certs into Windows.

• Added ability send raw attributes via Raw-Attribute = 0x0102... This is available only debug builds. It can be used to create invalid packets! Use it with care.

• Permit unlang policies inside of Auth-Type sub-sections of the authenticate {} section. This makes some policies easier to implement.

• listen sections can now have type = proxy. This lets you control which IP is used for sending proxied requests.

• Added note on SSL performance to raddb/certs/README

Built-in Fuzzing Capability!



Attacking 
EAP Types 






A look at EAP-MD5, LEAP, 
EAP-FAST, PEAP and TTLS



EAP-MD5 



Early, basic authentication mechanism

Not RFC4017 compliant

No support for encryption key delivery

No native supplicant support in Windows

Available native in OSX or Odyssey

Server support in IAS, ACS, SBR, FreeRADIUS



[Screenshot: Internet Authentication Service, Edit Dial-in Profile, Authentication tab, "Select EAP Providers" dialog: "EAP types are negotiated in the order in which they are listed." EAP types listed: Protected EAP (PEAP), MD5-Challenge]

On by default in IAS, users could choose to use this EAP type over PEAP



EAP-MD5 Exchange






802.11 authentication/association

EAP Identity Request

EAP Identity Response ► RADIUS Identity ►

[ RADIUS server generates a 16-byte MD5-Challenge, sends as EAP-Request ]
EAP Request

[ Client calculates MD5(response ID | password | challenge), returns to RADIUS ]
EAP Response

EAP Success/Failure



eapmd5pass 



• Simple password auditing tool, GPL 

• Read from libpcap file or monitor-mode 
interface 

thallium eapmd5pass $ ./eapmd5pass
eapmd5pass - Dictionary attack against EAP-MD5
Usage: eapmd5pass [ -i <int> | -r <pcapfile> ] [ -w wordfile ] [options]
  -i <iface>     interface name
  -r <pcapfile>  read from a named libpcap file
  -w <wordfile>  use wordfile for possible passwords.
  -b <bssid>     BSSID of target network (default: all)
  -v             increase verbosity level (max 3)
  -V             version information
  -h             usage information
thallium eapmd5pass $ ./eapmd5pass -r eapmd5-sample.dump -w dict
Collected all data necessary to attack password for "jwright", starting attack.
User password is "beaVIs".
3917111 passwords in 9.95 seconds: 393746.93 passwords/second.
thallium eapmd5pass $



LEAP

Security through obscurity with a 
proprietary protocol 

Uses MS-CHAPv1 challenge-response 
authentication mechanism 

- 8-byte challenge, 24-byte response 

- Response calculated using 3-DES keys from 
16-byte password NTLM/MD4 hash 

- Third DES key is weak, accelerating 
dictionary attack 

Only available on Cisco AP's, not a 
compliant EAP type 



Asleap 



Offline dictionary attack against LEAP 

Also applies to PPTP, and any MS-CHAPv1 or MS-CHAPv2
challenge/response mechanism

- Specify challenge and response as command-line 
parameters 

- Thanks to Jay Beale for this suggestion 

4 TB limit on precomputed hash lookup files 



asleap $ ./asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4 -f dict.dat -n dict.idx
asleap 2.1 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
hash bytes: 586c
NT hash: 8846f7eaee8fb117ad06bdd830b7586c
password: jaybealehasaposse
thallium asleap $



EAP-FAST 

Cisco-developed EAP type following LEAP 

- Designed to be simple but secure 

Leverages Preshared Authentication 
Credentials (PAC) 

- Effectively a file-based authentication
credential

Challenge is in PAC provisioning 

- Manual option; sneaker-net copy PAC's 

- Automated option; anonymous DH 

- Automated option with validation; RSA 



EAP-FAST PAC Provisioning 

PAC provisioning is secure, or simple, but not 
both 

Anonymous DH susceptible to AP impersonation 

- User discloses credentials using inner EAP method 
(e.g. EAP-MSCHAPv2) 

- Clearly identified in EAP-FAST docs cisco.com 

Fix is to provision a trusted certificate on 
clients and RADIUS to secure PAC exchange 

- Not simple, requires touching all workstations 



Many users leave anonymous provisioning enabled, AP 
impersonation reveals weak credential exchange for new clients 



PEAP and TTLS - Background 

Drafts introduced 2001/2002 leveraging 
tunneled authentication 

- Inner tunnel leveraging legacy authentication 

- Outer tunnel using TLS, protects inner tunnel 

Satisfies RFC4017 for mutual authentication, 
MitM attack mitigation, symmetric key 
derivation 

Requires certificate on RADIUS for STA to 
validate server identity 

TTLS differs primarily with support for any 
inner authentication protocol; PEAP=MS-CHAPv2 



PEAP Transaction 
TLS Tunnel Establishment

TLS-Protected Exchange

Identity Request

Identity Response ("brad")

MS-CHAPv2 RAND Challenge

MS-CHAPv2 Response/Challenge

MS-CHAPv2 Success/Response



Server Validation 

TLS provides authenticator validation

Supplicant retrieves certificate from 
authenticator 

- Identifies signing authority 

- Validates as trusted CA 

- Compares CN of certificate to trusted RADIUS 
hostname 

Authentication server authenticates 
supplicant with inner authentication 
method 



HTTP TLS Validation 



[Screenshot: Firefox dialog "Security Error: Domain Name Mismatch"]

You have attempted to establish a connection with "bankjofamerica.com". However the security certificate presented belongs to "www.bankjofamerica.com". It is possible, though unlikely, that someone may be trying to intercept your communication with this web site.

If you suspect the certificate shown does not belong to "bankjofamerica.com", please cancel the connection and notify the site administrator.

[Buttons: View Certificate, OK, Cancel]



What happens when Joe User clicks "OK"? 



PEAP Weakness 

Validation of RADIUS server based on 
certificate validation 

- Trusted issuing authority, matching CN 

Many PEAP deployments fail to properly
deploy this validation

Malicious RADIUS server grants access to 
inner authentication methods 

- PEAP: MS-CHAPv2 

- TTLS: MS-CHAPv2, CHAP, PAP, etc. 



Windows WZC (1) 



Many users disable 
server certificate 
validation altogether 

Anyone can 
impersonate the 
RADIUS server 

Simple Pwnage, easily 
attributed to client 
configuration failure 



[Screenshot: WZC "Protected EAP Properties" dialog. Options shown: "Validate server certificate"; "Connect to these servers"; "Trusted Root Certification Authorities" list; "Do not prompt user to authorize new servers or trusted certification authorities"; "Select Authentication Method: Secured password (EAP-MSCHAP v2)"; "Enable Fast Reconnect"]



Windows WZC (2) 



Default WZC 
configuration 

Server certificate is 
validated 

WZC prompts user 
to validate server 
certificate 

Only signing 
authority is shown 
in dialog 



[Screenshot: WZC "Protected EAP Properties" dialog with "Validate server certificate", "Connect to these servers" and the "Trusted Root Certification Authorities" list, overlaid by a "Validate Server Certificate" prompt]

Validate Server Certificate

The Root Certification Authority for the server's certificate is:
Veripwn Trust Network
If this is the correct certificate, click OK to connect and you will not see this message again. Click CANCEL to drop connection.

[Buttons: View Server Certificate, OK, Cancel]



Windows WZC (3) 



Worst possible "valid" 
configuration for WZC 

Any certificate 
matching the selected 
CA is trusted 

- Regardless of CN 

Trivial for attacker to 
sniff login and 
identify trusted CA 

Attacker buys cert 
from trusted CA for 
any CN 



[Screenshot: WZC "Protected EAP Properties" dialog. Options shown: "Validate server certificate"; "Connect to these servers"; "Trusted Root Certification Authorities" list showing UTN-USERFirst-Network Applications, UTN-USERFirst-Object and several VeriSign Trust Network entries; "Do not prompt user to authorize new servers or trusted certification authorities"; "Select Authentication Method: Secured password (EAP-MSCHAP v2)"; "Enable Fast Reconnect"]



Juniper (Funk) Odyssey 



Does not ship with 
any trusted CA's 

Administrator must
preconfigure trust,
or allow users to
select trusted/not-trusted

Prompted each 
time, or added to 
stored trust 



[Screenshot: "Odyssey Access Client" dialog]

You are about to authenticate to an untrusted server!
To terminate communication, press [No]
To temporarily trust this server, press [Yes]
To permanently trust this server, check "add this trusted server to the database" and press [Yes]

Certificate chain:
Veripwn Trust Network
    radius1.veripwn.com

Permanent trust
Add this trusted server to the database
Server name must end with: radius1.veripwn.com

Proceed to authenticate with this server? [Yes] [No]



OSX Supplicant (1)



[Screenshot: OS X "Verify Certificate" dialog, shown collapsed and with the certificate expanded]

802.1X Authentication
The server certificate is signed by an unknown root certificate authority.

Always trust "radius1.hasborg.com"

ssl-certificate-center.veripwn.com
    radius1.hasborg.com

radius1.hasborg.com
Issued by: ssl-certificate-center.veripwn.com
Expires: Wednesday, December 31, 2008 5:09:59 PM ET
This certificate was signed by an untrusted issuer

[Buttons: Show Certificate / Hide Certificate, Cancel, Continue]



OSX Supplicant (2)



[Screenshot: OS X "Verify Certificate" dialog with the certificate expanded]

802.1X Authentication
The server certificate is not trusted because there are no explicit trust settings.

Always trust these certificates

Entrust.net Secure Server Certification Authority
    radius01.utah.edu

radius01.utah.edu
Issued by: Entrust.net Secure Server Certification Authority
Expires: Monday, August 3, 2009 12:48:22 PM US/Mountain
This certificate is valid

[Buttons: Hide Certificate, Cancel, Continue]



Attacking PEAP Deployments

• Users often left with decision to
trust/reject network

- "Security in the hands of the end-user"

• Attacker impersonates SSID

- Untrusted certificate, user decides

- Trusted certificate in WZC silently accepted in
some configurations

• Supplicant performs inner authentication
with attacker; grants access to exchange



Attacker's RADIUS Server 

1. Returns success for any authentication
request (to continue authentication
exchange)

2. Emulates victim network following
authentication (e.g. KARMA)

3. Logs authentication credentials
(challenge/response, password,
username)

4. Potential to accelerate credential
cracking with fixed challenge






freeradius-wpe 

Patch for FreeRADIUS 2.0.2 

Adds logging for authentication 
credentials 

- TTLS/PAP: Username/password

- TTLS/CHAP: Challenge/response

- PEAP/MS-CHAPv2: Challenge/response 

- A few others 

Returns success for any credentials where 
possible 



FreeRADIUS WPE 

• Setting up rogue RADIUS in 8 easy steps 

• Setup AP using RFC1918 address, RADIUS 
shared secret of "test" 

• Logging in /usr/local/var/log/radius/freeradius-server-wpe.log

$ tar xvfj freeradius-server-2.0.2.tar.bz2
$ cd freeradius-server-2.0.2/
$ patch -p1 < ../freeradius-wpe-2.0.2.patch
$ ./configure && make && sudo make install && sudo ldconfig
# cd /usr/local/etc/raddb/certs
# ./bootstrap
# radiusd
# tail -f /usr/local/var/log/radius/freeradius-server-wpe.log



I love you 
Annie 




Combining Tools 



polonium radius # tail -f freeradius-server-wpe.log
mschap: Sat Feb 2 22:10:08 2008

username: hrollins
challenge: 08:92:54:d7:3c:33:c7:b7
response: bb:6e:8f:4f:57:c8:da:71:3e:e4:91:a7:
58:79:ac:5a:a9:53:36:

jwright@polonium ~/asleap-2.1 $ ./asleap -f dict.dat -n dict.idx -C 08:92:54:d7:3c:33:c7:b7 -R bb:6e:8f:4f:57:c8:da:71:3e:e4:91:a7:dd:40:df:58:79:ac:5a:a9:53:36:05:ba
asleap 2.1 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
hash bytes: 00cc
NT hash: ac8e657f83df82beea5d43bdaf7800cc
password: anncoulter
jwright@polonium ~/asleap-2.1 $



Unsuspecting 
victim 



DEMO 






Are PEAP and TTLS Broken? 

No, PEAP and TTLS can be secure when 
deployed carefully 

Caution in configuring supplicants 

- Distribute private CA certificate, or buy from a 
public CA 

- Always validate server certificate 

- Manually identify CN's of authorized RADIUS servers 

Is my supplicant secure? 

- Supplicants must include a feature to reject (not 
prompt) RADIUS CN's that do not match 

- Odyssey, WZC accommodate this today 



Proper WZC Supplicant Config 



Always validate certificate 



Specify CN on certificate(s) 



Specify trusted CA 



Forbid user from adding new 
trusted RADIUS servers 



Microsoft KB941123: "How to configure PEAPv0 to reduce potential risks against man-in-the-middle attacks and against password-based attacks when you use authentication servers in Windows Vista or in Windows Server 2008"



[Screenshot: WZC "Protected EAP Properties" dialog. Options shown: "Validate server certificate"; "Connect to these servers: radius1.myorg.com; radius2.myorg.com"; "Trusted Root Certification Authorities" list of VeriSign Trust Network entries; "Do not prompt user to authorize new servers or trusted certification authorities"; "Select Authentication Method: Secured password (EAP-MSCHAP v2)"; "Enable Fast Reconnect"]
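
The supplicant configurations from the WZC (1) to (3) and proper-configuration slides can be compared with a simplified decision model. This is an added example, not code from the presentation or from any supplicant; the class and function names, the CA name and the hostnames are constructed for illustration, and real supplicants apply more detailed matching rules.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServerCert:
    issuer_ca: str  # root CA the presented chain leads to
    cn: str         # subject common name of the RADIUS certificate


@dataclass
class SupplicantConfig:
    validate_cert: bool = True
    trusted_cas: set = field(default_factory=set)   # selected root CAs
    server_names: set = field(default_factory=set)  # "Connect to these servers"
    no_prompt: bool = False                         # "Do not prompt user ..."


def decide(cfg: SupplicantConfig, cert: ServerCert) -> str:
    """Return 'accept', 'prompt' or 'reject' for a presented certificate."""
    if not cfg.validate_cert:
        return "accept"                      # WZC (1): anyone is the server
    ca_ok = cert.issuer_ca in cfg.trusted_cas
    name_ok = not cfg.server_names or cert.cn in cfg.server_names
    if ca_ok and name_ok:
        return "accept"                      # silent, no user involvement
    return "reject" if cfg.no_prompt else "prompt"


def audit(cfg: SupplicantConfig) -> list:
    """List the deviations from the 'Proper WZC Supplicant Config' slide."""
    if not cfg.validate_cert:
        return ["server certificate validation disabled"]
    issues = []
    if not cfg.trusted_cas:
        issues.append("no trusted CA specified")
    if not cfg.server_names:
        issues.append("no RADIUS server CN specified")
    if not cfg.no_prompt:
        issues.append("user may authorize new servers")
    return issues


# Constructed names, for illustration only.
CA, HOST = "Example Public CA", "radius1.corp.example"
CONFIGS = {
    "WZC (1)": SupplicantConfig(validate_cert=False),
    "WZC (2)": SupplicantConfig(),
    "WZC (3)": SupplicantConfig(trusted_cas={CA}),
    "proper": SupplicantConfig(trusted_cas={CA}, server_names={HOST}, no_prompt=True),
}
CERTS = {
    "legitimate": ServerCert(CA, HOST),
    "same CA, other CN": ServerCert(CA, "radius.other.example"),
    "unknown CA": ServerCert("Unknown Root", HOST),
}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        verdicts = {label: decide(cfg, c) for label, c in CERTS.items()}
        print(f"{name:8} {verdicts} issues={audit(cfg)}")
```

Only the last configuration rejects a certificate issued by the trusted CA for a different CN without involving the user.
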



Summary 

• Evolution of WLAN security relies on 
strong EAP types for authentication 

• EAP-MD5, LEAP should not be used 

• EAP-FAST suffers from complexity or 
weak security in PAC provisioning 

• Common PEAP/TTLS deployments are
insecure

- Can be fixed with careful deployment steps

• Tools/patches at willhackforsushi.com

Knowledge helps us all to defend our networks



Questions? 
Code at www.willhackforsushi.com/offensive.html (Monday)

Brad's Paper at www.foundstone.com 



Extra Stuff 






Stuff we moved to the end of the presentation for time consideration



MS-CHAPv1 Challenged 

• Normal MS-CHAPv1 behavior: 

1. RADIUS→STA: 8-byte challenge

2. STA→RADIUS: DES(challenge) *3, return 24-byte
response

3. RADIUS compares observed response to calculated
response

• Attacker knows challenge and response,
challenge acts as a "salt"

• Pwned MS-CHAPv1 behavior:

1. RADIUS→STA: Fixed challenge "00000000"

Removing random challenge allows attacker to implement a 
precomputed lookup table of responses for a given hash 



LEAP or TTLS/MS-CHAP Attack 

• Fixed challenge from attacker removes 
uniqueness ("salt") from exchange 

• Accommodates RainbowTable attack
using challenge/response

$ ./rcrack mschap_loweralpha#8-8_1_256x10000_mschap.rt -h 9bb1789e3e1224c563bab42517dd097d3dd4de4498d3d3a1
searching for 1 hash...
plaintext of 9bb1789e3e1224c563bab42517dd097d3dd4de4498d3d3a1 is pjpxwijt
cryptanalysis time: 0.00 s

statistics
plaintext found: 1 of 1 (100.00%)
total disk access time: 0.00 s
total chain walk step: 36

9bb1789e3e1224c563bab42517dd097d3dd4de4498d3d3a1 pjpxwijt hex:706a707877696a74



